Rewterz Threat Alert – Over 185,000 Payment Card Details Stolen by MageCart

June 10, 2019

Severity

Medium

Analysis Summary

A recently observed credit card skimming campaign steals payment card details from compromised e-commerce websites.

MageCart is the name given to numerous cybercriminal groups that embed digital skimmers on compromised e-commerce sites. The group made global headlines for a series of high-profile breaches at Ticketmaster, British Airways, and Newegg. These groups are still active and continue to target online stores to steal payment card details from unsuspecting customers.

MageCart Skimmer

The malicious JavaScript code, also called the CoffeMokko JS-sniffer, has been around since May 2017. While the skimmer has been modified several times, this analysis focuses on the latest sample. The skimmer is loaded by a direct link in the compromised website’s HTML code, and the link has one of the following URL formats:

  • <C&C>/src/<compromised website>.js
  • <C&C>/js/<compromised website>.js
  • <C&C>/assets/<compromised website>.js

Looking at the skimmer JavaScript, some strings are obfuscated to evade crawlers and signature-based detection of the malicious code. Upon deobfuscation, an array is created containing interesting strings, such as the C&C (foodandcot[.]com) and other strings used to identify the payment form on the targeted website.

To check that the current page is the payment page, it searches for the keywords onepage, checkout, onestep, and firecheckout in the URL. Once it is on the correct page, it intercepts the details entered into the payment form after an unsuspecting customer fills in the fields.

The stolen data is encoded by substituting characters; without knowing which characters were replaced, it would be difficult to decode the original information.

The encoded stolen information is sent via a POST request to /tr/index.php on the same C&C that hosts the malicious JavaScript.
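The loader URL pattern above and the POST to /tr/index.php give a defender two concrete things to look for: a third-party script include named after the shop itself, and outbound requests to the listed C&C hosts. The following script is an added example, not Rewterz's code, that implements both checks over a constructed page and a constructed proxy log; the site name www.yolenis.example, the host cdn.unknown-host.example and the log format are assumptions, while the domains, IP address and exfiltration path come from the indicators in this advisory.

```python
"""Added example, not Rewterz's code: two defensive checks built from the loader
URL pattern and the exfiltration path described in the advisory. The sample
page HTML and proxy log lines below are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the advisory, kept in defanged form.
IOC_DOMAINS = {"foodandcot[.]com", "freshdepor[.]com",
               "swappastore[.]com", "verywellfitnesse[.]com"}
IOC_IPS = {"178[.]33[.]231[.]184"}
EXFIL_PATH = "/tr/index.php"          # POST target for the encoded card data

# <C&C>/src|js|assets/<compromised website>.js
LOADER_PATH = re.compile(r"^/(?:src|js|assets)/([A-Za-z0-9_-]+)\.js$")


def refang(value):
    """Turn the advisory's defanged notation back into a usable host string."""
    return value.replace("[.]", ".").replace("[:]", ":")


KNOWN_HOSTS = {refang(h) for h in IOC_DOMAINS | IOC_IPS}


class _ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def find_suspicious_scripts(html, site_host):
    """Return (src, reason) for external scripts matching the loader pattern.

    site_host is the hostname of the page being inspected. A third-party
    script named after that site under /src, /js or /assets is flagged even
    when the hosting domain is not yet in the indicator list."""
    parser = _ScriptSrcParser()
    parser.feed(html)
    labels = [lab for lab in site_host.lower().split(".") if lab != "www"]
    site_label = labels[0] if labels else site_host.lower()
    findings = []
    for src in parser.srcs:
        parts = urlparse(src)
        host = (parts.hostname or "").lower()
        if not host or host == site_host.lower():
            continue                  # same-origin scripts are out of scope here
        if host in KNOWN_HOSTS:
            findings.append((src, "hosted on a C&C domain listed in the advisory"))
            continue
        match = LOADER_PATH.match(parts.path)
        if match and match.group(1).lower() == site_label:
            findings.append((src, "third-party script named after this site "
                                  "under /src, /js or /assets"))
    return findings


LOG_LINE = re.compile(r"^\S+\s+\S+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def find_ioc_requests(log_lines):
    """Return (line, reason) for proxy log entries that contact the listed
    C&C hosts, distinguishing the skimmer fetch from the card-data POST."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlparse(m.group("url"))
        host = (parts.hostname or "").lower()
        if host not in KNOWN_HOSTS:
            continue
        if m.group("method") == "POST" and parts.path == EXFIL_PATH:
            hits.append((line, "POST to the exfiltration endpoint"))
        else:
            hits.append((line, "request to a listed C&C host"))
    return hits


# Constructed sample page: the shop is assumed to be www.yolenis.example, so the
# script names follow the advisory's IoC https://foodandcot[.]com/src/yolenis[.]js.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://foodandcot.com/src/yolenis.js"></script>
<script src="https://cdn.unknown-host.example/assets/yolenis.js"></script>
<script src="https://cdn.unknown-host.example/assets/jquery.js"></script>
</head><body></body></html>"""

# Constructed proxy log in an assumed "<time> <client> <method> <url> <status>" layout.
SAMPLE_LOG = """\
2019-06-10T10:00:01Z 10.0.0.5 GET https://www.yolenis.example/checkout/onepage/ 200
2019-06-10T10:00:02Z 10.0.0.5 GET https://foodandcot.com/src/yolenis.js 200
2019-06-10T10:00:09Z 10.0.0.5 POST https://foodandcot.com/tr/index.php 200
2019-06-10T10:00:10Z 10.0.0.5 POST https://www.yolenis.example/api/order 200
"""

if __name__ == "__main__":
    for src, why in find_suspicious_scripts(SAMPLE_HTML, "www.yolenis.example"):
        print(f"script {src}: {why}")
    for line, why in find_ioc_requests(SAMPLE_LOG.splitlines()):
        print(f"log {line}: {why}")
```

The name-based check matters more than the domain list: the advisory notes that the hosting domains are chosen to look like legitimate shops and that the sample's C&C domains will not be the only ones, so a script on a foreign host whose filename is your own shop's name is the durable signal, while the POST to /tr/index.php on a non-first-party host is the point where card data actually leaves the browser.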

Inspecting the C&C at IP address 178.33.231[.]184 revealed other domains it is hosting. As expected, these domain names attempt to imitate legitimate e-commerce websites related to various services and products (e.g. food, fitness, espresso). This makes it harder to spot anything suspicious during static analysis.

Impact

Exposure of sensitive information

Indicators of Compromise

IP(s) / Hostname(s)

178[.]33[.]231[.]184

URLs

  • foodandcot[.]com
  • freshdepor[.]com
  • https[:]//foodandcot[.]com/src/yolenis[.]js
  • https[:]//freshdepor[.]com/src/yorkarmoury[.]js
  • https[:]//swappastore[.]com/src/ispeeches[.]js
  • https[:]//swappastore[.]com/src/turtlecase[.]js
  • swappastore[.]com
  • verywellfitnesse[.]com

Malware Hash (MD5/SHA1/SHA256)

  • 9b31482f35209ea49bd2daed2fdb16d7196fa54034b6e72576050ca7799ed352

Remediation

Block threat indicators at your respective controls.

COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.